
East Midlands Strategic Health Authority

Registration Authority Policy

1. INTRODUCTION

With the implementation of new national and local systems/applications in line with the NHS Connecting for Health (CfH), it is important that all staff understand the importance of ensuring that secure access to systems is maintained at all times, and that all access should be on a ‘need to know’ basis only. New applications will use a common security and confidentiality approach to accessing patient information, which is based upon the NHS professional’s organisation, area of work and the role they perform.

This document is intended to provide clear guidance on the roles and responsibilities for users of CfH Applications. Access to patient information will be through the issuing and use of a Smart Card and Personal Identification Number (PIN).

2. ACCESS TO INFORMATION

Access to Patient Identifiable Information through any application will be granted in line with Caldicott Principles, the Data Protection Act 1998 and the SHA Information Security Policy.

As part of their treatment, patients entrust the NHS to collect sensitive information relating to their health and other matters. They do so in confidence and they have the legitimate expectation that staff will respect this trust.

It is essential that legal requirements are adhered to and the trust of patients is retained. The NHS must provide a confidential service and it is imperative that this is conveyed to our patients.

If you have been authorised access to applications and have a legitimate relationship to patient information through your job role, i.e. a direct clinical relationship, you have the responsibility to use this access responsibly, appropriately and on a ‘need to know’ basis only.

Inappropriate access to patient information will lead to disciplinary procedures. This includes for example:

  • Accessing your own information.

  • Accessing friends’/relatives’/colleagues’ information.

  • Obtaining address information for non-work-related reasons.

  • Providing patient information to unauthorised users and/or external agencies.

 

For a comprehensive explanation of inappropriate access, please contact your local Data Protection Officer.

Confidentiality, Information Security and compliance with the Data Protection Act are the responsibility of all NHS staff.

3. REGISTRATION AUTHORITY RESPONSIBILITIES

The Registration Authority (RA) is the overarching body within the SHA with the appropriate organisational authority. The RA is responsible for ensuring that all aspects of the registration service are performed in accordance with National and Local Policies and Procedures (Appendix 1).

They are responsible for providing arrangements that maintain tight control over the issue and maintenance of electronic Smartcards, whilst providing an efficient and responsive service that meets the needs of the users.

The Registration Authority is made up of the following:

  • Senior Executive

  • Registration Authority Manager

  • Registration Authority Sponsors

  • Registration Authority Agents

 

All RA Members must be provided with sufficient training in order to carry out their RA responsibilities in accordance with National and Local Policies and Procedures.

The services provided by the Registration Authority are:

  • User Registration

  • Role Profile maintenance

  • Adding Role Profiles

  • Changing Role Profiles

  • Deactivating Role Profiles

  • Revocation and Cancelling of Smartcards

  • User Suspension

  • PIN/Pass-code resetting

  • Smartcard renewal and exchange

  • Maintenance of Fallback Cards

 

The SHA Registration Authority also provides the following specific services to the wider East Midlands Local Health Communities:

  • Appointment and Registration of LHC RA Managers

  • Maintenance of LHC RA Manager profiles

  • Distribution of blank smartcards to LHCs

 

3.1. Registration Authority Manager Responsibilities

The RA Manager is nominated by the Trust Executive and is responsible for the set up and day-to-day running of the SHA’s RA service.

They must ensure processes and procedures are agreed, implemented and adhered to in accordance with local and national policy, and must ensure quality assurance of all aspects of the registration process.

The SHA RA Manager appoints and manages the Registration Authority Agents and Sponsors within the local organisation, and identifies any training requirements.

The SHA RA Manager registers and manages Registration Authority Managers for trusts and shared services within the East Midlands Local Health Community, and keeps up to date records on who these appointees are.

The RA Manager must ensure Smartcards are available for distribution.

The RA Manager will ensure that mechanisms are in place to ensure that users are made aware of any changes to terms and conditions.

The RA Manager is responsible to the Trust Board via the Trust Executive in all aspects of the registration process and compliance audits.

3.2. Registration Authority Sponsor Responsibilities

RA Sponsors will be appointed and entrusted to act on behalf of the organisation in determining access rights and maintaining the appropriateness of that access.

They have the following responsibilities:

  • Identification of the type and level of access to information that a user requires.

  • Arranges users to be issued with Smartcards.

  • Confirmation of the identity of the user.

  • Ensures leavers’ associated roles are revoked.

  • Resetting PINs by first verifying the identity of the user of the card (this cannot be done remotely).

 

Sponsors will be held accountable to the Organisation for their actions and must ensure only necessary access is granted to staff.

Sponsors must be identified and approved by the Trust Executive and the RA Manager as being suitable by virtue of their status and role and have sufficient seniority to understand and accept the responsibility required.

Where the RA Sponsor is not also the Line Manager, it is their responsibility to ensure that Line Managers follow Organisational guidelines in respect to starters and leavers. This also includes where staff have a change in the role they perform.

Organisation Departments can appoint Deputy Sponsors to ensure Business Continuity should they see a requirement to do so. Deputy Sponsors will only have access to the card management services for resetting PIN numbers, and renewing smartcard certificates. They will not be authorised to verify identification or allocate users roles on Applications.

The RA Manager will maintain a list of Sponsors, and make it available to those who need it.

3.3. Registration Authority Agent Responsibilities

RA Agents are responsible for the following:

  • Accepting applications for Smartcards.

  • Verifying identification information with the user.

  • Issuing Smartcards.

  • Reissuing lost or stolen Smartcards.

  • Revocations of access and terminations of the use of Smartcards.

  • Informing users of their rights and responsibilities.

  • Assisting the RA Manager with compliance audits.

  • Providing support to RA Sponsors on process, hardware and application problems.

  • Ensuring documentation is stored and archived appropriately.

  • Raising RA issues to the RA Manager.

 

3.4. Line Manager Responsibilities

Line Managers will manage the Registration Process for their staff. This includes liaising with RA Sponsors (unless the Line Manager is also the Sponsor) and RA Agents.

Line Managers must ensure that the starters and leavers process for the Organisation is adhered to at all times.

All new starters must be given the appropriate access levels to applications in line with the role they perform.

Staff access levels must be revoked in a timely manner when moving from one department to another. The new Line Manager is responsible for requesting the allocation of access for his or her new role.

If the member of staff is leaving the NHS entirely, all access levels must be revoked and the Smartcard must be retrieved from the member of staff on the last working day.

Line Managers will be responsible for disciplinary procedures relating to inappropriate use of Smartcards, sharing Smartcards, lost, stolen and forgotten Smartcards.

All security incidents must be dealt with in accordance with organisational policies and procedures.

Wherever there is a temporary or permanent change in the way a person works, a review of the person’s smartcard access must be carried out. If there are significant changes to the staff member’s role, the relevant Role Profile on the Spine User Directory must be updated by an RA Agent or RA Manager. Examples that would necessitate such changes to a person’s profile include:

  • Job Title

  • Access Requirements

  • Department

  • Site

  • Work group

 

Where new roles are being added or roles are being changed, the Registration Sponsor of the relevant work area will complete an RA02 form which is used to update the user’s profile.

When a particular role comes to an end the profile must be updated by deactivating the role as soon as is practical after the role has ceased. This is done using an RA02 form.

New roles should be added to the User’s Spine User Role Profile, and this should be completed a maximum of 3 days prior to the start of the new role, in order that it is available for use.

3.5. Issue of Smartcards

If it is determined that the role of a member of staff requires access to an application, they must be registered as an Authorised User. Appropriate access must be organised through the Line Manager and Registration Authority Sponsor (the line manager may also be the RA Sponsor).

The access allocated to staff must be based on the role they perform and must be agreed by their Line Manager and RA Sponsor before any Smartcard is issued.

New starters, and employees who have been in their current role for less than two full years or have not been known to their current Line Manager for two years or more, will be required to provide photographic proof of identity, either a driving licence or passport. A proof of address in the form of two community bills will also be required.

When a Smartcard is issued and a Personal Identification Number (PIN) registered, the PIN must not be written down or shared with anybody else. Smartcards must be kept secure at all times.

ONCE ISSUED, YOUR CARD IS YOUR RESPONSIBILITY.

Access gained through the use of a Smartcard will be viewed as individual access, and any inappropriate use will be the responsibility of the assigned user.

All Smartcard holders have undertaken to agree and adhere to all organisational policies relating to security and confidentiality.

A full list of policies and how to access them can be found at Appendix 1.

4. REGISTRATION AUTHORITY PROCESSES

The RA will ensure that processes supporting the identification, registration and management of staff will be wherever possible integrated with other SHA processes. These include for example:-

  • Starters and leavers processes.

  • The treatment of Agency, locum and bank staff.

  • Identity Management

  • Disciplinary policy – Trust procedures will be followed.

 

This policy and procedure document will be open to scrutiny by both internal and external audit.

4.1. Starters

As part of the normal induction process, new staff required to use CfH applications will be introduced to the relevant Sponsor, who will identify the appropriate role profile for the user, and take them through the RA process.

This could be how to become registered or, if the User already holds a Smartcard issued by another NHS organisation, adding the necessary Role Profile/s.

New starters will be trained on the aspects of CfH Application use relevant to their role/s (this guidance should be written as well as verbal), and trained on the National and PCT RA processes.

Where full registration is required, the Applicant will be required to bring suitable forms of identification with them.

Where staff are recruited to a role which requires access to CfH Applications it is important that the following points are considered:

  • Checks on an applicant’s ID are made as part of the recruitment process to ensure that RA Level 3 identification requirements can be met

  • Offers of employment are dependent on the applicant’s ability to meet and continue to meet all requirements for CfH access

  • Induction processes include the issuing of Smartcards (where the applicant is not an existing Smartcard holder) and adding of the appropriate role profile(s)

  • Staff must sign to acknowledge that they have read and understood the policies and procedures governing the use of Smartcards and CfH Applications (RA01 form)

 

All the above processes will be integrated as much as possible into the standard employment processes of the SHA to prevent duplication.

4.2. Leavers

When staff are leaving, the following points must be considered:

  • All role profiles in the CfH Spine User Directory pertaining to the employee must be deactivated as soon as is practical.

  • If the User is transferring to another NHS related location e.g. GP practice, Acute Trust etc. and they can provide details/proof then the current registration details will be copied and sent to the new location – the user is allowed to retain the Smartcard but their role profile in the SHA organisation will be removed.

  • Staff permanently leaving the NHS should have their certificates revoked and the Smartcard issued to them should be destroyed.

  • The user’s sponsor must advise the RA by completing a RA03 form, and where possible giving a minimum of 2 weeks’ notice.

  • Leavers’ procedures should be actioned in advance of the person leaving so that Smartcards can be physically recovered and access to confidential systems revoked at the appropriate time.

 

4.3. Changes in Users Roles

Smart Card Users involved in a change of job or responsibilities may require different Role Based Access Codes to be identified against them on the Spine User Directory (SUD) and appropriate access levels to be granted within systems so that they can adequately perform their duties. These changes must be notified to the Registration Authority for the authorised changes to be actioned. This is achieved by a User’s Sponsor completing a RA02 document and sending it to the RA Agent.

The RA Agent will from time to time carry out a validity check by listing the roles allocated against Users and asking Sponsors to sign off that they are accurate and complete.

4.4. Contractors

Contractors are persons not employed directly by the Trust. The SHA will ensure all contractors who need to use the CfH applications are bound to the Data Protection Act and the NHS Confidentiality Code of Practice (www.dh.gov.uk). This will include the process to be taken in cases of a breach and liability issues.

Contractors operating within the SHA areas of operation and requiring a Smartcard will be approved at the relevant Director level. The individual contractor must also sign a domestic form indicating that although they are not employed by the Trust they are prepared to accept the conditions of issue of the card as if they were.

4.5. Standard Process for SHA Staff

To achieve the required Level Three Assurance (combination of Smartcard, verification of identity and PIN code to unlock the Smartcard) the primary method of registration should be ‘face to face’ between the Certificate Applicant and the registration official. Smartcards cannot be shared by individuals or groups of staff e.g. agency staff or bank nurses. Cards will be issued using the National process described in Appendix A of NPfIT-FND-IMD-IME-0182: Registration Authorities Operational Process and Guidance.

4.6. Temporary & Fallback Cards

Fallback Smartcards provide the facility for existing registered Spine System Users to access systems in the event of their registered card being unavailable. This is an emergency system only. Fallback cards can ONLY be used for a maximum of 12 hours, and only by users who have already been registered and given their own smartcard.

The Organisational Sponsor is responsible for the use of fallback cards in their work area.

 

All use of fallback smartcards must be recorded on the Fallback Card Usage Log (RA04) in order that audit can be carried out.

 

5. MANAGEMENT AND USE OF RA EQUIPMENT

The RA Manager is responsible for ensuring that adequate numbers of Smartcards are available and for maintaining the Smartcards throughout their useful life, both locally to the SHA and to the wider East Midlands Health Community. Please see section 6.2 for further detail.

The RA team keeps a record of all SP35 datacard printers that are in use within the East Midlands Health Community; this record is shared with the printer manufacturer for purposes of warranty. It is the responsibility of individual LHC RA Managers to arrange repair of faulty printers directly with the manufacturer.

All RA equipment will be subject to policies and procedures governing the management and control of Assets and will include as a minimum an Asset Inventory and Stock Record of the Smartcards held.

6. MANAGEMENT OF CFH APPLICATION USERS

Information contained within this section is applicable to both SHA staff requiring registration, and Local Health Community RA Managers who need either registration or profile amendments. The appointment and management of LHC RA Agents and Sponsors is the responsibility of the LHC RA Manager.

6.1. Registration Forms

The SHA will ensure the latest versions of the RA forms are used, as published at http://nww.connectingforhealth.nhs.uk/implementation/.

All RA Team members will receive Training on the RA forms and their use. Specific training will be arranged whenever RA forms are changed significantly.

6.1.1. RA01 Form

The RA01 form is used to record the registration of new CfH Application Users as published on the national website http://nww.connectingforhealth.nhs.uk/implementation/.

The RA01 form is made up of 2 documents: Registration, and Conditions.

The Registration document is completed by the applicant and signed off by the Sponsor.

The Conditions document is retained by the applicant for reference purposes.

The RA01 Form is held by the applicant or Sponsor until the RA Manager/Agent registers the applicant on the national Spine User Directory.

Once registration is completed the RA01 form is delivered securely to the RA where the forms are logged and filed, to be available for RA Staff / Sponsors and Auditors as necessary. RA forms when transferred in the post should be contained in sealed opaque envelopes.

6.1.2. RA02 Form

The RA02 form is used to record changes made to an existing User Role Profile(s).

Whenever a change to a User’s Role Profile is identified the relevant Sponsor must be requested to authorise the changes required.

Once the relevant Sponsor has authorised the change(s) the RA02 form shall be processed by the RA.

Once the Sponsor has completed the changes on the RA02 form it must be delivered securely to the RA office, where the RA forms are logged and filed, to be available for RA Staff/Sponsors and Auditors as necessary. RA forms should be transported in sealed opaque envelopes.

6.1.3. RA03 Form

The RA03 is used to record revocations. Whenever it is necessary to revoke a certificate associated with a Smartcard an RA03 form must be completed and signed by the Sponsor. Sponsors should only do this when it has been confirmed by HR that the user is leaving the organisation or, in the case of disciplinary action, at the express request of HR. Once completed the RA03 should be sent to the RA Team for processing. A distinction needs to be made between those persons leaving the organisation and those leaving the NHS. If the latter is the case full revocation should take place and the card should be sent with the RA03 to the RA Office for destruction. If the former applies the RA Team will close the person’s roles on the national Spine User Directory but the person will be allowed to take their Smartcard with them to their new organisation.

Once the sponsor has completed the changes on the RA03 form, the form and Smartcard will be delivered securely to the RA office where arrangements will be made for the person’s registration and certificates to be revoked. The RA03 Forms will be logged and filed in the RA office and will be made available for RA Staff/Sponsors and Auditors as necessary.

Smartcards should be retained by the SHA RA office and then destroyed as soon as is practical after the staff member has ceased employment.

6.1.4. Forms RA04 & RA05

The RA04 Form is completed by the organisational ‘sponsor’ and is specifically related to Fallback Cards. Any change to the card’s profile must be actioned via the RA04 and be subsequently approved by the RA Manager.

The RA05 Form is to be used where users change their names. In accordance with current legislation and HR practices this cannot be actioned for frivolous reasons and evidence should be produced that the change has legality, e.g. Deed Poll or Marriage Licence.

Abbreviated names are permissible without evidence where the RA01 records the person’s legal name but also discloses their preferred name (e.g. Robert and Bob).

6.1.5. Forms RA06 & RA07

The RA06 Form is designed to allow the Sponsor to apply to the Registration Authority for a Position’s access profile to be changed. A Position change is where the Organisation, Job Role, Area of Work, Activity or Workgroup are added to or removed from the Position.

The RA07 Form is designed to allow the Sponsor to apply to the Registration Authority for a Template’s access profile to be changed. A Template change is where the Organisation, Job Role, Area of Work, Activity or Workgroup are added to or removed from the Template.

6.2. Smartcard Management

Smartcards will be regarded as secure stationery within the SHA RA Office and kept in a fire proof cabinet to prevent loss or damage. The following controls are also required:-

For the Local Organisation:

  • A record will be kept of all cards issued to individuals by the RA Office.

  • Issued Cards and cards for revocation will not be sent in the internal post.

  • Unused (blank) Smartcards should be treated with the same level of security as blank cheques etc.

  • Recipients of the cards should sign for their receipt.

  • Recipients of the cards should be fully aware of their responsibilities in protecting the card from loss or misuse.

  • A stock record of the number of cards issued and kept on hand will be maintained. The stock on hand will be subject from time to time to verification procedures.

 

For the East Midlands Health Community:

  • 6 monthly LHC forecasts will be taken to ensure stock levels of smartcards are appropriate.

  • Records of cards ordered and distributed will be kept.

  • Recipients of bundles of smartcards will need to confirm receipt via email, to be sent to the Q33_Contractual mailbox. Failure to acknowledge receipt of cards will result in their cancellation.

 

6.3. Smartcard Security

Authorised users of smartcards are required to observe the following security practices:

  • Keep smartcards secure. Do not store card and PIN number together.

  • Do not share Smartcards, pass codes or shared secrets with other users.

  • Report any observed instances of others abusing the Smartcard system.

  • A stock record of unused cards will be kept by the RA.

 

6.4. Lost, Stolen and Broken Smartcards

Lost and damaged Smartcards should be reported to the RA Team immediately or as soon as it is practical to do so.

Once notified that a Smartcard has been lost or damaged, the RA office will arrange to have the lost/damaged Smartcard revoked immediately and replaced (see below) as soon as possible, ideally within two working days. In the case of loss or theft the RA Manager must be informed so that checks can be made to ensure that the Smartcard has not been misused.

When an issued Smartcard becomes unusable or it is lost or stolen the Smartcard certificate must be revoked, see section 6.8: Leavers and Revocation. Revocation renders the Smartcard useless.

The Smartcard holder’s identity must be verified at a face to face meeting for a new Smartcard to be issued.

If there is any difficulty verifying the user’s identity the user’s Sponsor must be contacted and the user’s identity verified. It is vital that the Sponsor’s identity can be relied upon when contacting them to verify the user’s identity.

Wherever possible the photograph of the person held on file will be used to authenticate a person’s identity.

When handed their new cards staff will be asked to sign a receipt document and indicate the cause of loss.

Persons losing their card will be asked for a formal explanation, and this will be used for monitoring purposes. Repeat instances of card loss will be referred to the user’s line manager for review.

6.5. PIN/Pass-code Unlocking/Changing

The following instances need to be reported to RA sponsors as soon as possible for further action:

  • Forgotten PIN/Pass-codes;

  • Suspicion that PIN/Pass-codes may be known by another;

  • Lock out of CfH Applications because of three failed login attempts.

 

The sponsor or their deputy will arrange to resolve the issue in the presence of the user of the smartcard. In the absence of Sponsors the situation should be referred to the RA Office, where the RA Manager or Agent will arrange to have the PIN/Pass-code changed with the user. This task must be carried out by a Registration Agent or Sponsor, and the Smartcard holder must be present. Users are able to change their PIN numbers whenever they wish or are required to do so. It is advisable for PINs to be changed every 3 months.

6.6. Smartcard Misuse

All registered applicants for a Smartcard sign an agreement for its use before registration. If Smartcard misuse is discovered the appropriate disciplinary measures must be taken. A staff member must report suspected Smartcard misuse in line with the SHA’s incident reporting policy.

Depending on the severity of the allegation an investigation may be required. In certain cases this will require immediate revocation of the Smartcard and termination of any active application sessions the user may have at the time the revocation decision was taken. Form RA03 must be completed if a Smartcard is to be revoked.

The RA Manager will consult the SHA’s HR representatives as to how allegations of misuse are progressed.

6.7. Profiles

The information a user is able to access is based on the information in their profile.

Whenever there is a temporary or permanent change in the way a person works, a review of the person’s CfH Application access must be carried out. If there are significant changes to the staff member’s role, a change to the relevant Role Profile on the CfH Spine User Database must be requested via a suitable Sponsor. Examples which would require such modifications are changes to a person’s:

  • Job Title

  • Access requirements

  • Department

  • Site(s) of working

  • Work Group

 

Where new roles are being added or roles are being changed the Registration Sponsor of the relevant work area will complete an RA02 form which is used to update the user’s profile.

Similarly a person’s change in location/work area will require the completion of a RA02.

When a particular role comes to an end the profile must be updated by deactivating the role as soon as is practical after the role has ceased.

For users leaving the NHS refer to section 6.8: Leavers and Revocation.

New roles should be added to the User’s Spine User Directory entry a short while (a maximum of three days) prior to the start of the new role so that the profile is available for use.

6.8. Leavers and Revocation

During the leaving process HR will establish whether the User is leaving the NHS permanently (retirement, education or a non-NHS job) or joining another NHS organisation.

Where the User is moving to another organisation the Sponsor will notify the RA Manager (preferably two weeks in advance and by using a RA03 Form) who will arrange for any Role Profiles associated with the PCT to be deactivated.

There are occasions when it is necessary to deactivate a Smartcard by revoking the Smartcard certificate. Reasons for this include:

  • The Smartcard is lost or stolen.

  • There has been some other security breach associated with the Smartcard or Smartcard certificate.

  • The user is no longer employed by an NHS organisation.

 

SHA organisation revocation tasks can only be carried out by the RA Manager and the RA Agent.

Revocation of LHC RA Managers can only be done by the SHA RA Manager.

In both instances, where the revocation is needed due to a staff member leaving the NHS, the Sponsor will inform the RA Manager on a RA03 Form, so that the correct actions can be taken.

Information on leavers should be given by HR to the RA Manager. This should be reconciled to the data given by Sponsors to ensure all leavers have been identified.

Where the revocation has been requested because of security related events the RA Manager will authorise the appropriate action and inform the following staff as appropriate:

  • The Head of Information Governance

  • The Caldicott Guardian

  • The HR Manager.

  • The relevant Sponsor(s).

  • The RA User

 

Revocation renders the Smartcard useless.

6.9. Locums, Agency and Bank Personnel

Temporary staff may need access to CfH records as part of their role. The following points should be considered:-

  • Staff working as part of a team may not need a Smartcard to fulfil their role.

  • Some temporary staff could already be a Smartcard user and only require an amendment to a role profile. This will be supplied by the new organisation sponsor and will be evidenced by submission of a RA02 Form.

  • Temporary staff who are Smartcard holders may not have sufficient training for the particular CfH Application they need access to.

 

If the user is not a Smartcard holder and needs access to a CfH system, procedures should be invoked as for a new starter, involving identity authentication, completion of a RA01 Form, registration of the user’s profile and the issue of a Smartcard.

For lost or damaged cards a User should initially contact their sponsor. The sponsor may then refer them on to the RA Manager. For all other application support the User should contact the IT helpdesk on 01332 868900.

6.10. Card Census Exercise

When workloads and resources permit, exercises will be mounted to contact operational departments and obtain from them a list of the current staff employed, and these will be used to reconcile RA records and the Spine User Directory.

6.11. Certificate Renewal

Certificates used in the registration procedure and automatically written within the system have only a fixed life (currently 2 years). A print out is held of the expiry dates which will require the card being re-issued and the certificates re-written.

7. REGISTRATION AUTHORITY AUDIT

The management and use of Smartcards will be subject to internal and external audit to ensure that national and local policies are being followed.

Auditors may also look to confirm that:

  • Smartcards are handled securely by the RA Office and Users.

  • RA documents are used and stored appropriately.

  • Access to CfH Applications and Records is controlled appropriately.

  • Unused Smartcards are stored safely and appropriate records are kept.

  • RBAC role allocation and de-allocation is performed appropriately.

To aid audit the following records will be maintained by the RA Office:

  • Lists of sponsors and their signatures.

  • Issues and incidents encountered (RA Sponsors should also keep a local log of issues)

  • Smartcard stock record.

  • Record of Training.

  • Lists of LHC RA Managers

 

8. RECORDS MANAGEMENT

East Midlands SHA will ensure that the requirements for the retention of evidentiary information used for RA authentications are met as defined in the Health Service Circular HSC 1999/053: For the Record – Managing Records in Trusts and Health Authorities.

The following extract applies for the retention requirements of Establishment Records – Major, a category that includes personnel files: ‘Keep for 6 years after subject of file leaves service, or until subject’s 70th birthday, whichever is the later. Only the summary needs to be kept to age 70; remainder of the file can be destroyed 6 years after the subject leaves service’.

Suitable secure storage will be arranged for records held centrally.

The SHA will not copy ‘active in the community’ documentation for storage. Instead the RA agent will record the type of ‘active in the community’ documentation viewed on the relevant area of the RA01 form.

Where RA documentation contains personal information it will be securely stored in compliance with The Data Protection Act 1998.

The reference numbers and other relevant details of the identification evidence obtained should be recorded to enable the documents to be obtained again. Where checks are made electronically, a record of the actual information obtained, or a record of where it can be obtained should be kept.

9. POLICY REVIEW

Given that this is a new initiative and national guidance is ongoing, it is expected that these procedures will require review and amendment. These will be approved by the Joint Information Governance Group as and when the need arises but a formal review will be undertaken one year from the initial approval and acceptance date.